
NIS+ user setups


DedeMole

Programmer
Aug 30, 2001
US
ok I am running Solaris 8 with NIS+... On the server I have 15 user accounts set up and they work on the server. However I can't log on to a client with one of these user accounts that exist on the server. I get the error message Login incorrect try again. BUT when I log on to the client as root and type ls /var/nis or nisls org-dir I get the correct responses, which means (I think) that NIS+ is set up correctly... (ps I can ping all the clients from the server and the server from all the clients, I also have /data shared out of the server and all the clients can mount and see everything in the /data)...

What do I need to do to be allowed to logon a client with a user account that exist only on the server???

Thanks for any help...
 
Is keyserv daemon running correctly?

Is the client authenticated correctly? As root
# nisdefaults

This should not show "not authenticated"

Is /etc/nsswitch.conf set up correctly on the client for passwd table? Should be either:
passwd: compat
passwd_compat: nisplus
or
passwd: files nisplus

Is the effective password entry correct on the client, i.e.
# getent passwd.org_dir.domain. <username>

What are the results after looking at these?
 
you say you have 15 users, can 14 of them log in to the client but not the 15th?

if this is the case then that user needs to have their credentials altered on the server (they aren't properly authenticated)

easiest way is to:
Code:
nisaddcred -p <uid> -P <username>.<domainname> local
nisaddcred -p unix.<uid>@<domainname> -P <username>.<domainname> des

if the machine cannot access any accounts, then you probably need to do a 'chkey -p' and a 'keylogin -r' (i forget which order you do them in) ...

you might need to play with the credentials for the client as well. look at the 'nisclient -c -o' command.

you might also want to check that the client isn't in the ethers incorrectly.
 
Thank you both naggiman and jad.... naggiman I did the nisdefaults and got back the correct information about the network. I checked the /etc/nsswitch.conf file and it has
passwd: files nisplus

I then did the getent passwd.org_dir.mydomainname.mach01 and got
unkown database: passwd.org_dir.mydomainname.mach01
usage: getent database [key]

Jad- none of my 15 clients can login with usernames from the server....

What did I forget to do to setup my users???
 
ok, as root on one of the clients type:
niscat passwd.org_dir

and check that the 2nd field is populated with something sensible (similar to /etc/shadow)

if you have that, then the problem probably resolves down to setting up credentials for each client on the server. (one way to test for this is to 'telnet' to the server and log in as the user ... it usually says some stuff about credentials when they do.)

if the 2nd field is a * or *LK* or similar then it is probably the client which needs authentication.
 
jad I ran niscat passwd.org_dir on the client and got back

mach01:cz23GYFX1NeoQ:101:100::/home/mach01:/bin/csh:12118::::::

I also telnetted to the server and logged on as mach01 and got
xlib:connection to "Student-01:0.0" refused by server
xlib: invaild MIT-MAGIC-Cookie-1 key
xmbind: can't open display

(Student-01 is the client name(machine name) and mach01 is the user name on the server)
So does this mean I have credential problems with my client and if so how do I resolve that??

ps THANKS for the help...
 
don't worry about that too much ... that is because you have some stuff set up to set the display to point at the local machine, and you haven't 'disable access control'd it

do you not get a command prompt when you telnet?

the client appears to be set up correctly.

when you create users you have to create credentials for the users, if you don't know their passwords they will have to telnet to the server and type 'chkey -p' and the first password they type in will probably be 'nisplus' or similar

to create credentials as the root user:
Code:
nisaddcred -p <uid> -P <username>.<domainname> local
nisaddcred -p unix.<uid>@<domainname> -P <username>.<domainname> des

and it will ask you for their password once (can't remember which one of the lines asks you, i have it in a script)

if you change someone's password for them as root you will need to add credentials for them as well.

i also have an add-user script which does a hell of a load of work which i could stick on here if it'd help you.
 
jad I'm confused (not that that is hard for me), to create credentials for the user do I go on the server login as the user (mach01) and then do these commands??
nisaddcred -p <uid> -P <username>.<domainname> local
nisaddcred -p unix.<uid>@<domainname> -P <username>.<domainname> des

Or do I logon the server as root and do those commands, or logon the client as root and do those commands??

And yes I would love to see your script please...

and yes when i'm on a client and telnet to the server and logon as the user (that is only on the server) I get a command prompt....

Thanks...
 
ok, the nisaddcred lines are for root, to add fresh credentials for the user.

if the user (mach01) can connect with a prompt onto the server (either telnet'ing if possible or logging on to the machine) then they (mach01) can type 'chkey -p' to set their credentials.

if you know their password, it seems easier for me to set the credentials as root.

file: addnisplususer.ksh
Code:
#!/bin/ksh
#************* addnisusers.sh ***************
# addnisuser.sh - ksh script for add user to
# NIS+
#********************************************
EUID=`id|awk -F\( '{print substr($1,5)}'`
if [ $EUID = 0 ] ; then
# get the domainname (minus the trailing . if necessary
  DNAME=`domainname | xargs -I {} basename {} "\."`

#
# Variables need to be gathered to create a new user.
# Notably the Group (to get the GID), the UID,
#   the Comment, the Shell and the Password
#
  echo "GROUPS: \c"
  niscat group.org_dir|nawk -F: '{print $1" "}'|xargs
  echo "GROUP: [sal]\c"
  read GROUP
  GROUP=${GROUP:-"sal"}
  GID=`niscat group.org_dir|grep "^$GROUP:"|nawk -F: '{print $3}'`
  if [ -z "$GID" ]
  then
    echo Group $GROUP does not exist !!!
    exit 1
  fi
  echo "USERS: \c"
  niscat passwd.org_dir|grep :$GID:|nawk -F: '{print $1}'|xargs
  USED=1
# keep asking until the name is non-empty and not already in the passwd table
  while [ $USED -gt 0 -o -z "$NAME" ] ; do
    echo "NAME: \c"
    read NAME
# anchor the match so that "bob" does not collide with "jimbob"
    USED=`niscat passwd.org_dir|grep -c "^$NAME:"`
    if [ $USED -gt 0 ] ; then
      echo "Name $NAME is already in use"
    fi
  done
  echo "IDS: \c"
  niscat passwd.org_dir|grep :$GID:|nawk -F: '{print $3}'|sort -n|xargs
  echo "ID: \c"
  read ID
  echo "REAL NAME: \c"
  read COMMENT
  echo "SHELL: [/bin/csh] \c"
  read SHELL
  SHELL=${SHELL:-"/bin/csh"}
  echo "PASSWORD: \c"
  stty -echo
  read PASS
  stty echo
#
# All variables should now have been gathered
#
# Encrypt the Password
# (note: $PASS is passed as a command-line argument here and to
#  nisaddcred -l below, so it is visible in ps output while they run)
#
  CODE=`perl -e '
    srand;
    # pick both salt characters from the crypt(3) alphabet [a-zA-Z0-9./]
    @c = ("a".."z", "A".."Z", "0".."9", ".", "/");
    print crypt($ARGV[0], $c[rand @c] . $c[rand @c]);
  ' "$PASS"`

#
# HNAME is the host server for the home directory
# EXPHOME is the directory path on the host server for home directories
#
  case $GROUP in
	sal) EXPHOME=/export/salhome;
             HNAME=lims;;
	rec) EXPHOME=/export/rechome;
             HNAME=lims;;
	sai) EXPHOME=/export/saihome;
             HNAME=s222;;
  esac

  echo ""

# add the automounter entry, the passwd entry and both credentials,
# then restrict who can read the new row and the passwd column
  nistbladm -a key=$NAME value=$HNAME:$EXPHOME/$NAME auto_home.org_dir > /dev/null
  nistbladm -a name=$NAME passwd="$CODE" uid=$ID gid=$GID gcos="$COMMENT" shell=$SHELL home=/home/$NAME passwd.org_dir > /dev/null
  nisaddcred -p $ID -P $NAME.$DNAME. -l "$PASS" local > /dev/null
  nisaddcred -p unix.$ID@$DNAME -P $NAME.$DNAME. -l "$PASS" des > /dev/null
  nischown $NAME "[name=$NAME],passwd.org_dir" > /dev/null
  nischmod n-r,w-r,g+r "[name=$NAME],passwd.org_dir" > /dev/null
  nistbladm -u passwd=n-r,w-r,g+r passwd.org_dir > /dev/null

# print the commands still needed to create the home directory
  if [ "x$HNAME" = "x`uname -n`" ] ; then
    echo "     mkdir -p $EXPHOME/$NAME
     cp /etc/skel/.[a-z]* $EXPHOME/$NAME
     chown -R $NAME:$GROUP $EXPHOME/$NAME
    " ;
  else
    echo "On Server $HNAME:
     mkdir -p $EXPHOME/$NAME
     cp /etc/skel/.[a-z]* $EXPHOME/$NAME
     chown -R $NAME:$GROUP $EXPHOME/$NAME
    "
  fi

else
  echo "You must be root"
fi
#******** end of addnisuser.sh *********

sal, rec and sai are the 3 main groups at my site and they have home dirs on 2 different servers ... it defaults to sal for the group ... and you need to have perl to do the password encryption.
 
JAD I want to thank you for your script... It is helping a lot.... When I was doing my setup I never did anything about the home directories like you did (nistbladm -a key=$NAME value=$HNAME:$EXPHOME/$NAME auto_home.org_dir ) and I think this is where my problems start from....

Again thanks for the script it is helping a lot...
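
The checks discussed in this thread (is the second passwd field populated, and does every user have both a LOCAL and a DES credential) can be run for all users at once. The following is an added example, not part of the original thread or of jad's script: the function name `audit_nisplus_users`, the domain `example.dom` and the sample table contents are constructed, and the cred table is assumed to use the standard `cname:auth_type:auth_name:public_data:private_data` column order.

```shell
#!/bin/sh
# Constructed sample data (not from the thread), shaped like the output of
# `niscat passwd.org_dir` and `niscat cred.org_dir` for domain "example.dom".
PASSWD_SAMPLE='alice:aaBBccDDeeFFg:101:100::/home/alice:/bin/csh:12118::::::
bob:*LK*:102:100::/home/bob:/bin/csh:12118::::::
carol:ccDDeeFFggHHi:103:100::/home/carol:/bin/csh:12118::::::'
CRED_SAMPLE='alice.example.dom.:LOCAL:101:100:
alice.example.dom.:DES:unix.101@example.dom:PUBKEY:PRIVKEY
carol.example.dom.:LOCAL:103:100:'

# audit_nisplus_users PASSWD_TEXT CRED_TEXT DOMAIN   (DOMAIN without trailing dot)
# Prints one line per passwd entry: "user: ok" or "user: <problem> ...".
audit_nisplus_users() {
  # Feed the cred table first, then a separator, then the passwd table.
  printf '%s\n---\n%s\n' "$2" "$1" | awk -F: -v dom="$3" '
    $0 == "---" { in_passwd = 1; next }
    !in_passwd  { authname[$1, $2] = $3; next }    # remember each credential
    {
      user = $1; uid = $3; cname = user "." dom "."
      p = ""
      # Empty, *LK* (locked) or *NP* (no read permission) means no usable hash.
      if ($2 == "" || $2 ~ /^\*/)
        p = p " passwd-field=" ($2 == "" ? "empty" : $2)
      # LOCAL credential maps the principal to its UID.
      if (!((cname, "LOCAL") in authname))        p = p " missing-LOCAL"
      else if (authname[cname, "LOCAL"] != uid)   p = p " LOCAL-uid-mismatch"
      # DES credential must carry the netname unix.<uid>@<domain>.
      if (!((cname, "DES") in authname))          p = p " missing-DES"
      else if (authname[cname, "DES"] != "unix." uid "@" dom)
        p = p " DES-netname-mismatch"
      print user ":" (p == "" ? " ok" : p)
    }'
}

# Stand-alone run over the constructed sample.
# On a live client or server (as root) the call would be:
#   audit_nisplus_users "$(niscat passwd.org_dir)" "$(niscat cred.org_dir)" "$(domainname)"
audit_nisplus_users "$PASSWD_SAMPLE" "$CRED_SAMPLE" example.dom
```

Any user reported with `missing-LOCAL` or `missing-DES` is a candidate for the two `nisaddcred` commands quoted earlier in the thread.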

 